On 01/02/2021 15:22, Jan Beulich wrote: > We consider this error path of hvm_alloc_ioreq_mfn() to not be possible > to be taken, or otherwise to indicate abuse or a bug somewhere. If there > is abuse of some kind, crashing Dom0 here would mean a system-wide DoS. > Only crash the emulator domain if it's not the (global) control domain; > crash only the guest being serviced otherwise. > > Signed-off-by: Jan Beulich <jbeul...@suse.com>
Honestly, I'm -1 towards this. Asymmetrically shooting things which aren't dom0 only complicates investigations, and doesn't remove the fact that this is an XSA. I do not subscribe to the opinion that keeping dom0 running at all possible costs is the best thing thing for the system. In this particular case, the theoretical cases where it can go wrong might not be the fault of either domain. ~Andrew > > --- a/xen/common/ioreq.c > +++ b/xen/common/ioreq.c > @@ -274,7 +274,7 @@ static int hvm_alloc_ioreq_mfn(struct hv > * The domain can't possibly know about this page yet, so failure > * here is a clear indication of something fishy going on. > */ > - domain_crash(s->emulator); > + domain_crash(is_control_domain(s->emulator) ? s->target : > s->emulator); > return -ENODATA; > } > >
